Saturday, December 31, 2016

Skype for Business Server Access Edge service does not start

You’ve noticed that the Skype for Business Server Access Edge service on your Skype for Business Server 2015 Edge server is stopped and the following error is thrown when you attempt to start it:

Windows could not start the Skype for Business Server Access Edge on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to the service-specific error code -2146762487.

Reviewing the event log displays the following errors:

Log Name: System

Source: Service Control Manager

Event ID: 7031

Level: Error

The Skype for Business Server Access Edge service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 180000 milliseconds: Restart the service.

Log Name: System

Source: Service Control Manager

Event ID: 7024

Level: Error

The Skype for Business Server Access Edge service terminated with service-specific error %%-2146762487.

Log Name: Lync Server

Source: LS Server

Event ID: 12303

Level: Error

The protocol stack reported a critical error: code 0x800B0109 (Configuration failure prevented the server from starting up). The service has to stop.

Log Name: Lync Server

Source: LS Server

Event ID: 12303

Level: Error

The protocol stack reported a critical error: code 0x800B0109 (CERT_E_UNTRUSTEDROOT). The service has to stop.

Log Name: Lync Server

Source: LS Protocol Stack

Event ID: 14623

Level: Error

A serious problem related to certificates is preventing Skype for Business Server from functioning.

Unable to use the certificate configured for the external edge of the Access Edge Server.

Error 0x800B0109(CERT_E_UNTRUSTEDROOT).

The certificate may have been deleted or may be invalid, or permissions are not set correctly.

Ensure that a valid certificate is present in the local computer certificate store. Also ensure that the server has sufficient privileges to access the store.

Cause: The Skype for Business Server failed to initialize with the configured certificate.

Resolution:

Review and correct the certificate configuration, then start the service again.

Log Name: Lync Server

Source: LS Protocol Stack

Event ID: 14397

Level: Error

A configured certificate could not be loaded from store. The serial number is attached for reference.

Extended Error Code: 0x800B0109(CERT_E_UNTRUSTEDROOT).

Clicking on the Details tab shows the following:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LS Protocol Stack" />
    <EventID Qualifiers="33769">14397</EventID>
    <Level>3</Level>
    <Task>1001</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-12-30T01:27:45.000000000Z" />
    <EventRecordID>154713</EventRecordID>
    <Channel>Lync Server</Channel>
    <Computer>svr-edge-01.ccs.int</Computer>
    <Security />
  </System>
  <EventData>
    <Data>0x800B0109(CERT_E_UNTRUSTEDROOT)</Data>
    <Binary>A6AC495DE63987EAE958F6506F58377D</Binary>
  </EventData>
</Event>

One of the first troubleshooting steps I attempted was from the following blog post:

The instructions provided by this blog post do not apply to your situation:

As I’ve come across a similar problem in the past, I sort of had a feeling that this had to do with a certificate that was missing from the intermediate or root store of the Edge server. To determine this, open the Certification Path of the certificate being used for the Edge interface:

Note that the issuing Certificate Authorities are:

GeoTrust Global CA

RapidSSL SHA256 CA

In this environment, the Root certificate GeoTrust Global CA was already in the Trusted Root Certification Authorities store but the RapidSSL SHA256 CA was not in the Intermediate Certification Authorities store:
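
The same Certification Path check can be run from PowerShell on the Edge server. This is an added example, not part of the original post: it locates the certificate by the serial number from the <Binary> field of event 14397 (the byte order of that field is an assumption, so both orders are tried) and reports whether each issuing certificate is present in the Intermediate Certification Authorities (CA) or Trusted Root Certification Authorities (Root) store of the local computer.

```powershell
# Added example: check where each certificate in the Edge certificate's chain lives.
# Serial number copied from the <Binary> field of event 14397 shown above.
$serial = 'A6AC495DE63987EAE958F6506F58377D'

# Assumption: the event may log the serial in either byte order, so build the
# byte-reversed form as well and match on both.
$pairs = @($serial -split '(..)' | Where-Object { $_ })
[array]::Reverse($pairs)
$serialReversed = -join $pairs

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.SerialNumber -in $serial, $serialReversed } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with serial $serial in LocalMachine\My" }

# Build the chain in machine context. Revocation is skipped because the question
# here is store placement, not CRL reachability.
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($cert)

$report = foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $isLeaf = $c.Thumbprint -eq $cert.Thumbprint
    # Self-signed certificates belong in Root; other issuers belong in CA
    # (shown in the MMC as Intermediate Certification Authorities).
    $store = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
    [pscustomobject]@{
        Subject       = $c.GetNameInfo('SimpleName', $false)
        ExpectedStore = if ($isLeaf) { 'My' } else { $store }
        Present       = if ($isLeaf) { $true } else { Test-Path "Cert:\LocalMachine\$store\$($c.Thumbprint)" }
        Status        = $element.ChainElementStatus.Status -join ', '
    }
}
$report | Format-Table -AutoSize
"Chain built: $built; overall status: $($chain.ChainStatus.Status -join ', ')"

# If Windows could not find or download an issuer, the chain ends early; name the gap.
$last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($last.Subject -ne $last.Issuer) {
    "Chain stops at '$($last.Subject)'; missing issuer: $($last.Issuer)"
}
```

A row with Present set to False under ExpectedStore CA corresponds to the situation described above, where the intermediate is absent from the Intermediate Certification Authorities store. Run it from an elevated session so the local computer stores are readable.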

3 comments:

I had the same issue at a customer site, could not find the intermediate certificate anywhere for the External Edge certificate. I resolved it by exporting the certificate as .P7B including all the certificates in the certification path. Then I was able to open the exported file and then import the Intermediate certificate and select the Intermediate folder path. After that Access Edge could start.